Dual ISP mapped to two different VR route, ISP Failover is not working

AkashThangavel — Mon, 11 Sep 2023 07:44:20 GMT

Hi team,

Will ISP failover work, if 2 ISPs are mapped to two different VR routes? If no please say the workaround apart from changing the VR route to single.

Thanks and regards,

Akash Thangavel

Network Security Engineer

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

ozheng — Mon, 11 Sep 2023 08:02:02 GMT

Hello AkashThangavel,

How's the routing between the main VR and second VR?
How's the failover supposed to be done when the link on the main VR is down?

Any specific reason to have 2 VRs?

There is a documented configuration for 1VR only.

Olivier

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

AkashThangavel — Mon, 11 Sep 2023 08:12:13 GMT

Customer setup, will this set up work?

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

149999mah3 — Tue, 12 Sep 2023 12:17:50 GMT

Im pretty sure both internet lines needs to be in the same VR. As far as i know, path monitoring only fails over inside the same VR.

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

AkashThangavel — Thu, 14 Sep 2023 07:24:34 GMT

I need a PA document to share with the customer to accept as a SOLUTION.

regards,

Akash Thangavel

Network Security Engineer

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

aleksandar.astardzhiev — Thu, 14 Sep 2023 09:04:44 GMT

Hi @AkashThangavel ,

Having separate Virtual-Routers for the two ISP should work for Internet failover.

As @ozheng and @149999mah3 already mentioned you don't really need to have two separate VRs, but it should still work.

Main VR:

- Assign primary ISP interface in main-vr

- Assign ISP interface to "Internet/Outside" zone

- Assign LAN (to your internal networks) interface in main-vr

- Create static default route pointing to primary ISP. Enable path-monitor on this static route

- Create second static default route pointing to "next-vr secondary-vr". Set metric higher than the default (let say 50)

Secondary VR:

- Assing secondary ISP interface in secondary-vr

- Assign ISP interface to the same "Internet/Outside" zone

- Create static default route pointing to secondary ISP. (optional enable path-monitor on this static route)

- Create static route for your internal summarized subnet (/8, /12, /16) pointing to next-vr main-vr.

NAT Policy

- Create rule:

- Source Zone "LAN/Internal" and source summairized internal subnet

- Destination Zone "Internet/Outside" and dest address any

- (Must) select egress interface to be the interface connected to primary ISP

- Enable Source translation to public from primary ISP

- Create second NAT rule:

- Same source lan zone and subnet

- Same destination internet zone and any address

- (Must) Select egress interface to be interface connected to secondary ISP

- Enable source translation to public IP from secondary ISP

When using primary ISP:

- Traffic from internal users will enter main-vr

- Traffic will follow default route with lower metric and egress to primary ISP

- First NAT rule will be used, because traffic will match the egress interface and apply translation to public IP from primary ISP

When primary ISP is down:

- Path-monitor will detect issues and "deactivate" the static route to primary ISP

- Traffic from internal users will enter main-vr

- Traffic will follow second default route pointing to next-vr (because it is currently only default available)

- Traffic will enter secondary-vr and follow default route pointing to secondary ISP (as only availalbe default in that vr)

- Second NAT rule will be applied, because traffic is now egressing via interface that does not match first NAT. This will apply translation to public IP from secondary ISP

When primary ISP is restored:

- Path-monitor will detect the availability of the monitored IP and will restore the default route

- Traffic from users will follow restored route to primary ISP

- First NAT will be applied as it will match the egress interface

topic Re: Dual ISP mapped to two different VR route, ISP Failover is not working in Next-Generation Firewall Discussions

Dual ISP mapped to two different VR route, ISP Failover is not working

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

Re: Dual ISP mapped to two different VR route, ISP Failover is not working

Re: Dual ISP mapped to two different VR route, ISP Failover is not working